
Direct to OEP

The so-called one-step-to-OEP unpacking method relies on characteristics of the packer's stub: find the instruction closest to the OEP (typically the stub's final jump), set an int3 breakpoint on it, and dump the program once execution reaches the OEP.

For example, many compression packers end their stub with a `popad` or a long `jmp` very close to the OEP. Using OllyDbg's search function, you can search for the packer's characteristic instruction and reach the OEP with a single breakpoint.

Key points

  1. Ctrl+F: search for `popad`.
  2. Ctrl+L: jump to the next match.
  3. When a match is found, confirm that it is the part of the stub that jumps to the OEP (the jump target should lie in the original code section, not in the packer's section), then set a breakpoint there and run to it.
  4. Works only for a small number of compression packers.

Example

The sample program can be downloaded here: 3_direct2oep.zip

We still use the original notepad.exe for illustration. After opening it in OllyDbg, press Ctrl+F to search for a specific string. `popad` is a typical characteristic: some packers commonly use `popad` to restore register state just before jumping to the OEP, so we search for `popad`, as shown below.

direct2oep_01.png

In this example, when the `popad` found does not meet our requirements, press Ctrl+L to search for the next match. After three or four tries, we find the location that jumps to the OEP.

direct2oep_02.png

